Hi all.
I have an RB and I want to control all connections between two interfaces A and B:
- close all connections from A to B and from B to A
- allow A to open only some connections to B (by port number)
- allow B to open only some connections to A (by port number)
Could someone give me an indication of these rules?
And finally:
- Are NAT rules applied before or after IP filters?
- If I apply masquerade to connections from A to B, and A has more than one IP address, which IP address is used to masquerade packets?
Thank you.
/ip firewall filter
add disabled=no chain=forward in-interface=A out-interface=B connection-state=new protocol=tcp dst-port=XXX action=accept
add disabled=no chain=forward in-interface=A out-interface=B connection-state=new protocol=tcp dst-port=YYY action=accept
add disabled=no chain=forward in-interface=A out-interface=B connection-state=new protocol=tcp dst-port=ZZZ action=accept
add disabled=no chain=forward in-interface=A out-interface=B connection-state=new action=reject
Please look at http://wiki.mikrotik.com/wiki/Packet_Flow . For example, for forwarded traffic, first Dst-NAT, then Filter Forward, then Src-NAT are applied.
See routes (pref. source) to know what IP address all connections are masqueraded to.
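As an added, complete example (not Chupaka's rules, not from the original thread), here is a stateful forward filter covering both directions plus the masquerade rule, so the order "Filter Forward before Src-NAT" is visible in one place. Interface names ether1-A / ether2-B, the A-side subnet 192.0.2.0/24 and the port numbers are assumed; replace them with your own.

```routeros
# Assumed interface names and constructed ports; adjust to your setup.
/ip firewall filter
# Replies to connections already accepted below pass in both directions.
add chain=forward connection-state=established,related action=accept \
    comment="A<->B: return traffic of accepted connections"
# A -> B: only new TCP connections to the listed ports are allowed.
# protocol= is required, dst-port= alone is rejected by RouterOS.
add chain=forward in-interface=ether1-A out-interface=ether2-B \
    connection-state=new protocol=tcp dst-port=22,443 action=accept \
    comment="A->B: ssh, https"
# B -> A: only new TCP connections to the listed port are allowed.
add chain=forward in-interface=ether2-B out-interface=ether1-A \
    connection-state=new protocol=tcp dst-port=3389 action=accept \
    comment="B->A: rdp"
# Default deny between A and B, both directions. Put these rules after the
# accepts: rules are evaluated top to bottom and the first match decides.
add chain=forward in-interface=ether1-A out-interface=ether2-B action=drop \
    comment="A->B: default deny"
add chain=forward in-interface=ether2-B out-interface=ether1-A action=drop \
    comment="B->A: default deny"

# Src-NAT runs after the forward filter, so the rules above still match on
# the original source address of A. Without to-addresses, masquerade picks
# the pref-src / primary address of the route used toward B; to pin a fixed
# address on a multi-addressed A side use action=src-nat to-addresses=...
/ip firewall nat
add chain=srcnat src-address=192.0.2.0/24 out-interface=ether2-B \
    action=masquerade comment="A->B: masquerade (assumed A subnet)"
```

Check the result with `/ip firewall filter print stats` after generating a few test connections: the counters show which rule matched first.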
Thanks Chupaka, the answer is very clear.
In Firewall > Filter, if a filter is matched, is the execution of the remaining rules bypassed?
It depends. See the 'passthrough' parameter.